When Popcorn Time ransomware offers you Door #2, don’t choose it

Ransomware that takes your computers hostage has hit an all-time low, from a morality point of view. While you have to admire their creativity, the people who come up with these new extortion schemes seem to have zero sense of morality. In fact, they have become quite good at playing on your emotional weaknesses. In this new ransomware scheme, called Popcorn Time, they offer you a tantalizing alternative to paying their ransom to unlock your encrypted files.

The first indication of trouble

After getting you to click on a link or attachment that triggers the Popcorn Time malware infection, you will first see the clever stall tactic that buys time to encrypt your files. You’ll see a fake download indicator, with a spinning icon. What it’s actually doing is encrypting your files, while you wait.

Then, you are presented with a stark notification screen that tells you that your system has been encrypted, and that you have 24 hours to pay 1.0 Bitcoin (currently about $975 US) to have your files unlocked, or they will be lost forever.

Then comes the option of choosing Door #2

In a cruel twist, the Popcorn Time ransomware also gives you another sneaky option. Instead of paying the ransom, it tells you that you can pass along an infection link to others. If two others pay the ransom before your time is up, then your files will be unlocked for free. You can probably imagine what a temptation this might be for some people. Perhaps a recipient of this message might know of somebody they are in a feud with, somebody who’s done them wrong, or somebody they just don’t like.

I call this the “Door #2” option, in homage to the old TV game show “Let’s Make a Deal”, where live audience contestants win a prize, but then are offered a chance to trade their prize for a mystery prize hiding behind one of a number of doors on the stage.

So, would you consider trading in your ransomware liability for a chance to stick it to a couple of your least favorite individuals or business organizations?

Why you shouldn’t consider the option of passing along the infection link

While it may be tempting to take the Door #2 option, remember that it is illegal in most countries to intentionally spread malware or damage computers belonging to others. It’s just not a good idea to spread this kind of threat, or give it any more life than it already has. You should not make yourself an accomplice to a crime just to save yourself the cost of being a victim.

But it’s for a good cause… NOT!

The Popcorn Time ransomware also plays a sympathy card by telling you that the money you pay will be used to help Syrian refugees. However, analysis by researchers has shown that after a number of failed guesses your files will be deleted. So this “philanthropic initiative” has no patience for people who can’t type correctly. There is no reason to believe that any of the proceeds actually go to helping Syrian refugees. This is just another social engineering trick to con you into playing along.

How should we deal with this kind of morally bankrupt attacker?

This kind of social engineering is becoming the new norm, because there are very few ways to fight threats that play on people’s emotions and use their system access rights to install dangerous malware. Some technologies are trying to recognize and prevent ransomware from getting a foothold. However, as with any kind of malware, its authors can constantly update it and test it against current security software, to make sure its attack will have a good chance of success.

So, as usual, for the time being at least, it comes down to using good malware prevention practices, including updated security software (to catch known threats) and training staff to handle suspicious emails so that they avoid triggering an infection.

Frequently backing up your files to remote systems is still the best way to recover from an infection like this, so you don’t have to pay the ransom in order to regain control of your systems.